Will 2019 be the year of GDPR-US? Don't count on it, but...

2018 was the year of GDPR. The European Union’s General Data Protection Regulation came into effect just over 6 months ago, with implications for businesses inside the EU and without.

While the regulation’s punitive powers have yet to be put fully to the test - although there are some strong contenders who may help us there sooner rather than later! - one side-effect of the new regime has been to fuel further debate in the US around the need - or otherwise - for similar legislation at Federal level.

This year saw more activity around data privacy rights at state level, most notably California’s Consumer Privacy Act which takes effect from 2020. The passing of that set of regulations, while considerably less robust than GDPR, served to make the debate around the need for Federal legislation to become a priority.

Silicon Valley has been divided on the subject. There have been outspoken advocates of the need for tougher privacy laws from the likes of Salesforce CEO Marc Benioff. More recently Microsoft’s Satya Nadella and Apple’s Tim Cook have added their voices to the calls for action. And last week, during his Congressional grilling, Google CEO Sundar Pichai praised the EU regulation as a “well thought out piece of legislation,” adding:

I’m of the opinion that we are better off with more of an overarching data protection framework for users, and I think that would be good to do.

On the other hand, Google was among those tech firms to lobby against the campaign to pass the California Consumer Privacy Act, along with Amazon, Microsoft and Facebook and others. There remains a suspicion that while public statements err on the side of ‘of course we do’, the lobbyists in Washington are delivering an ‘of course we don’t’ message to influential ears.

The point was made by Askhan Soltani, former Chief Technologist at the US Federal Trade Commission (FTC), at the UK Government’s Grand Committee on Fake News, which grilled Facebook main EMEA policy lead in the absence of CEO Mark Zuckerberg:

In the lead up to the passing of the California Consumer Privacy Act, Facebook came out publicly in support it but was in fact still lobbying behind the scenes against it. We have seen that time and again…I think they have a lot of influence, both politically and economically. In the US, a lot of the reticence to pass strong policy has been about killing the golden goose; it is a leading sector in the US economy and there is a lot of worry that regulation will hamper that. I think that is short-sighted…[Facebook] are clearly investing on the lobbying and policy side.

But Soltani also noted:

This is currently the first time I have seen in the US when the Administration, Congress and the companies are all aligned to pass federal privacy legislation, primarily to pre-empt the California law and to potentially give them carve-outs from GDPR, because the conservative Administration feels like it might be oppressive to business.

What do they think on Main Street?

So if the political will is there, what about the great American public? Won’t citizens see new legislation as an extension of the dreaded ‘Big Government’? While that’s a narrative that might play well in some quarters, a new study commissioned by SAS suggests that the US electorate may well be coming round to the idea of need to toughen up the rules in the wake of the Facebook data sharing revelations of the past 12 months.

Let’s put a pretty big caveat on this upfront - the SAS study polled 525 US consumers, so we’re not taking about an exhaustive plebiscite here. Add to that the vastly divergent political views of the two coasts compared to the mid-West and the ‘flyover states’ and that poll base is never going to provide a comprehensive indicator.

But if it’s taken at face value with those limitations acknowledged, the findings are still intriguing. The main findings:

• Some 67% of survey participants think the US government should do more to protect data privacy.
• Nearly three-quarters (73%) of respondents say they are more concerned about data privacy now than they were a few years ago.
• Just over two third (64%) feel their data is less secure today than it was a few years ago.
• Healthcare and banking are the sectors most trusted to look after personal data (47% and 46% approval respectively).
• Social media platforms are the least trusted with only 14% of respondents citing confidence.

There’s a generational split in evidence with Baby Boomers most concerned (78%), followed by Gen X-ers on 72%, while Millennials are least concerned on 66%. But those are still hefty percentages across all ages. So if the SAS study is to be believed, the appetite for action at Federal level appears to be there. But what form should that action take? The study suggests:

• 88% want the right to tell an organization not to sell or share their data.
• 80% want the right to know who their data is being sold to if it is.
• 73% want the right to known how their data is being used by an organization.
• 64% want the right to insist their data is deleted.

Lobbying ahoy

What a Federal data privacy regulatory regime should look like is set to be a major topic of debate in 2019 and various factions are already gearing up their lobbying and proposed requirements. The latest came last week from the non-profit Center for Democracy & Technology (CDT) which published its own draft bill. Key action items and principles include:

• Individual Rights - these mirror GDPR and the new California laws, but with the rights and exceptions clear and definitive for the benefit of consumers and covered entities alike.
• Portability - what is the proper role of data portability rules in federal privacy legislation, and how can legislative language reflect existing technical reality?
• Tech and Business Model Neutrality - the bill applies across all unregulated sectors and covers many different types of services, companies, and business models.
• Civil Rights - this focuses on unfair targeted advertising practices, particularly those that discriminate based on a protected or vulnerable class.
• Free Expression - new privacy protections need to minimize the burden on First Amendment protected activities.
• Collection, Use, and Sharing Limits - setting down limitations to protect the most sensitive uses of data.
• Pre-emption - a provision that pre-empts state laws addressing the types of commercial data processing addressed by this law, but preserves state-level requirements that may involve data processing but are outside the scope of the proposed bill.
• Disclosures - an acknowledgement that “transparency” provides limited privacy protections, but is a necessary component to privacy legislation.

As for enforcement, CDT calls for the authority to levy fines that are “fair but meaningful for a first-time violation of the law”. That said, there are suggestions that the maximum fine could be set as low as $41,500. Given that GDPR carries the power to fine up to 4% of total global turnover, that level of penalty would be laughable and scarcely a deterrent with teeth.

My take

There’s a clear direction of travel here and the main question is how quickly the journey involved takes. Last week 15 Democratic senators proposed the Data Care Act. A separate proposal from Democrat Senator Ron Wyden has pitched his own Consumer Data Protection Act, which includes a threat to jail executives at offending firms for up to 20 years. There’s less sign of enthusiasm to legislate from the Republican side of the aisle, although the Congressional grilling of Google boss Pichai saw members from the right making all the right noises about privacy.

My guess - don’t hold your breath for GDPR-US in 2019, but do expect the debate about what it would (will?) look like to ramp up a lot - almost as much as the lobbying bills will for the usual suspects in Silicon Valley!